from the failing-to-meet-the-super-low-expectations-we-have-for-ICE dept

ICE continues to make its own case for abolishment. The agency busies itself with neglecting detainees when not acting as the extension of major corporations to shut down infringing panties/websites. ICE is too big and it's getting bigger at a rate it can't sustain. To achieve the ends the President has set down for it, it's wearing itself thin trying to find the dangerous immigrants Trump keeps talking about or the bound-and-gagged women he insists are being brought across the border by the truckload.

It seemingly doesn't have the manpower to even capture just dangerous foreigners. Instead of using its resources more carefully, it's doing things like setting up fake colleges to capture dangerous criminals immigrants seeking educational opportunities. And it's continuing to outsource its responsibilities while taking an apparent hands-off approach to third party detention.

ICE's Inspector General released a report last summer stating the agency was failing to inspect detention facilities often enough or well enough. It found contractors performing government work were doing the job poorly. Detainees weren't being interviewed properly or given translators to overcome speech barriers. In some cases, detention personnel were not giving detainees access to services like phone calls to the ICE officers handling their cases. In some facilities, dangerous detainees were intermingled with non-criminals. In almost every case, ICE issued a waiver for deficiencies it actually observed. As far as the OIG could tell, dozens of deficiencies went unnoticed thanks to ICE's inability (or unwillingness) to perform mandatory inspections.

There's more bad news coming from the OIG's office about ICE's use of contractors to handle detainees. The latest report [PDF] delves into ICE's apparent unwillingness to hold anyone accountable. ICE can't be trusted to police itself, so it obviously can't be trusted to police its contractors.

This is the Inspector General's ultra-dry summary of the problems it discovered:

ICE does not adequately hold detention facility contractors accountable for not meeting performance standards. ICE fails to consistently include its quality assurance surveillance plan (QASP) in facility contracts. The QASP provides tools for ensuring facilities meet performance standards. Only 28 out of 106 contracts we reviewed contained the QASP.

That's only the beginning of it. From this missing paperwork, ICE moves even further away from anything resembling accountability. As was detailed in the last report, the IG points out ICE's "solution" to the few deficiencies it does decide to do anything about is the issuance of waivers, which magically make deficiencies acceptable protocol. ICE calls this a "multilayered" approach. The IG calls it nonexistent.

Between October 1, 2015, and June 30, 2018, ICE imposed financial penalties on only two occasions, despite documenting thousands of instances of the facilities’ failures to comply with detention standards. Instead of holding facilities accountable through financial penalties, ICE issued waivers to facilities with deficient conditions, seeking to exempt them from having to comply with certain detention standards. However, ICE has no formal policies and procedures about the waiver process and has allowed officials without clear authority to grant waivers. ICE also does not ensure key stakeholders have access to approved waivers.

To be more precise, ICE only imposed financial penalties twice, despite observing a jaw-dropping 14,003 deficiencies over the course of three years. ICE is blowing taxpayer money and expecting nothing in return. What's detailed in this report -- along with the IG release from last year -- is an agency repeatedly abusing the public's trust.

Our review of the corresponding payment data identified about $3.9 million in deductions, representing only 0.13 percent of the more than $3 billion in total payments to contractors during the same timeframe. ICE did not impose any withholdings during this timeframe.

When the agency whitewashes bad behavior by contractors, there's no paper trail. There's no follow-up. And everyone involved seems to have no idea what's going on other than no one's going to be held responsible for their actions.

We analyzed the 68 waiver requests submitted between September 2016 and July 2018. Custody Management approved 96 percent of these requests, including waivers of safety and security standards.

Despite this high approval rate, ICE could not provide us with any guidance on the waiver process. Key officials admitted there are no policies, procedures, guidance documents, or instructions to explain how to review waiver requests. The only pertinent documents that ICE provided were examples of memoranda that Field Office Directors could use to request waivers of the detention standards’ provisions on strip searches. However, the memoranda did not acknowledge the important constitutional and policy interests implicated by a facility’s use of strip searches. ICE officials did not explain how Custody Management should handle such waiver requests when a contrary contractual provision requires compliance with a strip search standard.

ICE is handing out waivers for private companies to violate Constitutional protections afforded to detainees. These waivers are almost always indefinite. Each waiver is supposed to be followed up on to ensure the "deficiency" has been eliminated by the contractor. ICE has performed zero reviews or reassessments of these waivers.

The waivers have approved unconstitutional strip searches, as detailed above. They've also approved the commingling of violent criminals in general population, and the use of a chemical ten times more toxic than pepper spray to subdue detainees. As the report notes, detainees are being seriously harmed by the lax standards deployed by contractors, and ICE's response has been to shrug and issue waivers.

ICE is an active partner in the dehumanizing of immigrants, allowing private contractors to treat the human beings they're supposed to be taking care of like pieces of meat to be exchanged for cash. It's no better than how ICE treats detainees itself, but a federal agency should be ensuring its very existence isn't a cancerous growth on the soul of this nation.

from the that's-going-to-make-things-tricky dept

For the last few months, we've been discussing a few different legal disputes over the nature of drivers for services like Lyft and Uber, and whether or not they should be classified as "employees" or "contractors" (or W-2's or 1099s -- based on what kind of tax forms they get). Florida's Department of Economic Opportunity has said such drivers are employees and a judge in California appears to be leaning that way as well. However, leapfrogging that process, California's Labor Commission has now declared an Uber driver an employee, rather than a contractor.

You can read the full ruling to see the reasoning. The actual dispute isn't all that interesting -- involving whether or not Uber should be paying a woman directly or a corporate entity she set up. But the key part is the analysis of "employee" v. "contractor." And under the Labor Commission's analysis, it very, very, very broadly defines these relationships. Basically, it lists out the usual factors about how much control the parties have over the job, who supplies the tools, the kind of occupation, the degree of permanence and all that... and then just says "yup, employee." Here are the key parts, plus some analysis...

Defendants argued that they exercised very little control over Plaintiff's activities.
However, the Borello court found that it was not necessary that a principal exercise
complete control over a worker's activities in order for that worker to be an employee.
"The minimal degree of control that the employer exercised over the details of the work
was not considered dispositive because the work did not require a high degree of skill and
it was an integral part of the employer's business. The employer was thus determined to
be exercising all necessary control over the operation as a whole." (Borello, supra, 48 Cal.3d
at pp. 355-360.)

That seems backwards. Basically the commission is saying "sure you own your own car, but that's not enough." But it's comparing it to a case involving an actual taxi company where the drivers owned their own cars -- but that still involved much more control by the taxi company over the drivers and what they did as compared to Uber, where you just have an app and can turn it on and off at will.

By obtaining the clients in need of the service and providing the workers to conduct
it, Defendants retained all necessary control over the operation as a whole. The party
seeking to avoid liability has the burden of proving that persons whose services he has
retained are independent contractors rather than employees. In other words, there is a
presumption of employment. (Labor Code 3357; Borello, supra, at pp. 349, 354.)

But under that theory anyone selling goods on eBay or Etsy should be considered employees as well. And that's crazy. It shouldn't be a presumption of employment just because someone is using your platform.

Ownership of the vehicle used to perform the work may be a much less important
factor in industries other than transportation. Even under the traditional, pre-Borello
common law standard, a person making pizza deliveries was held to be an employee of
the pizzeria, notwithstanding the fact that the delivery person was required to provide his
own car and pay for gasoline and insurance. (Toyota Motor Sales v. Superior Court (1990) 220
Cal.App.3d 864, 876.)

Again, this isn't saying anything other than "well, we don't really care who owns the car" even though the rules state that who provides the equipment is a key part of determining the status of the relationship.

"The modern tendency is to find employment when the work being done is an
integral part of the regular business of the employer, and when the worker, relative to the
employer, does not furnish an independent business or professional service." (Borello,
supra, at p. 357.) Plaintiff's work was integral to Defendants' business. Defendants are in
business to provide transportation services to passengers. Plaintiff did the actual
transporting of those passengers. Without drivers such as Plaintiff, Defendants' business
would not exist.

Again, that kind of analysis would wipe out eBay and Etsy. Just because someone is using your platform, it doesn't make them an employee. And Uber is not in the business of providing transportation. It provides a service to connect drivers to riders. That's a key distinction -- one the Labor Commission basically dismisses:

Defendants hold themselves out as nothing more than a neutral technological
platform, designed simply to enable drivers and passengers to transact the business of
transportation. The reality, however, is that Defendants are involved in every aspect of
the operation. Defendants vet prospective drivers, who must provide to Defendants their
personal banking and residence information, as well as their Social Security Number.
Drivers cannot use Defendants' application unless they pass Defendants' background and
DMV checks.

This seems ridiculous. By this argument, Uber would be better off if it did not vet the backgrounds of its drivers? How does that make sense? Furthermore, if you were hiring a contractor for something like, say, fixing your roof, wouldn't you "vet" their background, check their contractor's license and the like? How does that make them any more of an employee?

Defendants control the tools the drivers use; for example, drivers must register
their cars with Defendants, and none of their cars can be more than ten years old.
Defendants refer to "industry standards" with respect to drivers' cars, however, it is
unclear to what industry, other than the "taxi" industry, Defendants are referring.
Defendants monitor the Transportation Drivers' approval ratings and terminate their
access to the application if the rating falls below a specific level (4.6 stars).

That's an odd definition of "control." Yes, they have standards, but that's not "control." Again, going with the roofer example, I might want to make sure that the roofer is using modern tools that will guarantee a better job, and I might make sure that they're up on the various building "industry standards" to make sure they'll do a good job. And I might fire them if they're doing a crappy job on the roof. Still doesn't make them an "employee."

While Defendants permit their drivers to hire people, no one other than Defendants'
approved and registered drivers are allowed to use Defendants' intellectual property.
Drivers do not pay Defendants to use their intellectual property.

Again, so what? No one other than approved contractors are allowed up on my roof and they don't pay a fee to access my roof.

The passengers pay Defendants a set price for the trip, and Defendants, in turn, pay
their drivers a non-negotiable service fee. If a passenger cancels a trip request after the
driver has accepted it, and the driver has appeared at the pick-up location, the driver is not
guaranteed a cancellation fee. Defendants alone have the discretion to negotiate this fee
with the passenger. Defendants discourage drivers from accepting tips because it would
be counterproductive to Defendants' advertising and marketing strategy.

To be honest, this is the only point in the entire argument that even has some resonance, in that Uber does control the pricing. But that, alone, hardly seems to be enough to determine an employer relationship. Would that mean that a service like Fiverr -- where creative people agree to do things for $5 -- creates employees just because it sets the price? There are all different ways to create a marketplace and setting the price shouldn't determine the nature of the relationship.

Plaintiff's car and her labor were her only assets.

Of course, that's kind of everything involved here. And if she's providing all of those assets, it seems like a pretty strong argument for contractor, rather than employee.

Plaintiff's work did not entail any
"managerial" skills that could affect profit or loss. Aside from her car, Plaintiff had no
investment in the business. Defendants provided the iPhone application, which was
essential to the work. But for Defendants' intellectual property, Plaintiff would not have
been able to perform the work.

It's that "but for" line that's really ridiculous. Sure, the Plaintiff absolutely can drive people around without Uber. Or she could have signed up for any one of a number of similar platforms like Lyft or Sidecar. Or she could do deliveries for Postmates, Shyp, Instacart, Doordash or more.

In light of the above, Plaintiff was Defendants' employee. Therefore, the Labor
Commissioner has jurisdiction to adjudicate the instant matter.

In light of the above, I'm not sure that there can be platforms on the internet that help people make money without them being declared employees. Sell music on iTunes? You might be an Apple employee. Sell toys on eBay? You might be an eBay employee.

And yes, I recognize that some people will argue that Uber drivers may not be the best job in the world and they're very much at the whims of Uber (ignoring all the other companies in the space they can go work for instead...). But this kind of decision really, really hurts everyone, including Uber drivers. It will mean vastly fewer opportunities for those drivers, and much greater controls over those drivers. It will lead to much less flexibility, fewer freedoms and a much more limited role for those drivers.

There is a reasonable argument to be had that perhaps we need a new form of classification that is somewhere between the traditional 1099 or W-2 worker, but it's hard to see how the Labor Commission came to this conclusion without throwing out many, many, many contractor positions and suggesting that they might all be employees. That's very dangerous for a part of the economy that is currently thriving and rapidly growing. This move to "protect" workers has a high likelihood of doing the exact opposite, creating many fewer work opportunities for everyone, and making a service that many people like to use a lot worse.

And, again, I know that some people don't like Uber because of some of its business practices, but whether or not you "like" Uber should be separate from this particular question. The people celebrating this decision don't seem to recognize how much damage it actually does to their own position. Either way, Uber has already appealed the decision and it will be quite some time before any final ruling is issued.

from the that's-a-problem dept

There is a series of big, important lawsuits currently under way, exploring the question of whether or not drivers for ride hailing services like Uber and Lyft are "employees" or "contractors." It seems fairly obvious that they should be contractors -- they use their own equipment, they set their own schedules, they work on their own, etc. However, some are really trying to have them declared as employees, giving them access to things like regular salaries, overtime pay, benefits and such. It would also, most likely, mean many fewer opportunities for drivers, less flexibility and a lot less innovative a service. While the lawsuits are ongoing, down in Florida, the Department of Economic Opportunity has skipped all the judicial nonsense and just declared that Uber drivers are employees, allowing them to sign up for unemployment benefits.

This week, Florida notified Cutler Bay’s Darrin McGillis that he was in fact an employee of Uber while driving for the company earlier this year.

“I’m no longer an independent contractor,” the 46-year-old said while driving in the seven-seat Mitsubishi Outlander he bought to boost his Uber income. He’s now hoping there might be a change to pursue reimbursement on gasoline and even overtime. “All these things come into play.”

Yes, you can understand why some drivers want this kind of designation -- but it seems ridiculously short-sighted. It will almost certainly mean fewer opportunities for those drivers and a lot less flexibility. Yes, there are some "on demand" companies that seem to be skirting the rules and having "employees" who they pretend are contractors. But when the participants truly are independent, get to set their own schedule and are using their own equipment, it seems ridiculous to argue that they're anything but independent contractors.

In this particular case, the guy is upset because he chose to buy an SUV for Uber... and then ran into an issue with a passenger accidentally smashing his door into a scooter. Uber's insurance covers drivers, and it appears that the company told him to file a claim for reimbursement over the damage -- but the guy chose to go after the passenger directly -- leading Uber to kick him out of the program. And now he's pissed off that he bought a big SUV that he no longer needs:

The trouble came during the Ultra Music Festival in March. An Uber passenger opened his Outlander’s door only to have it whacked by a scooter, according to McGillis’ account. An email exchange between him and the company shows that Uber urged him to file a claim, but McGillis wanted the passenger’s address to pursue reimbursement. Uber refused, citing privacy concerns.

“I am going to the passenger’s home tonight to get their names since you won’t provide them,” McGillis wrote in a March 30 email to an Uber executive.

By April, Uber had deactivated McGillis’ driver account, freezing him out from potential fares. It also paid for the damages. He filed for unemployment benefits, saying he was wrongly terminated. Uber has until June 9 to appeal the state’s ruling. McGillis said he’s living off of savings and facing a $600 monthly car payment he can’t afford.

“I’m a single guy. I don’t need an SUV,” he said. “Here I am in this big car. What am I supposed to do with it?”

This just sounds like someone who doesn't want to take responsibility for his own decisions. No one made him buy the SUV. A few months back, on our podcast about what it's like to drive for Uber & Lyft, we discussed this very issue. Some drivers seem to have unrealistic expectations and are sinking a ton of money into buying new vehicles, without realizing what a massive risk they're taking. But that doesn't mean that the liability for that risk should automatically be shifted over to the companies. But, if this ruling stands, that's how things are moving in Florida, putting a potential damper on important and useful services.

In denying the company's motion for summary judgment, Chen calls Uber out for the "narrow framing" of its "we're an app, not a company" assertions, but notes that Uber does grant its drivers enough leeway that the question cannot be completely resolved via a motion in his court. Chen also raises the spectre of further regulation -- something that's similarly unlikely to work out in Uber's favor.

The application of the traditional test of employment – a test which evolved under an economic model very different from the new “sharing economy” – to Uber’s business model creates significant challenges. Arguably, many of the factors in that test appear outmoded in this context. Other factors, which might arguably be reflective of the current economic realities (such as the proportion of revenues generated and shared by the respective parties, their relative bargaining power, and the range of alternatives available to each), are not expressly encompassed by the Borello test. It may be that the legislature or appellate courts may eventually refine or revise that test in the context of the new economy. It is conceivable that the legislature would enact rules particular to the new so-called “sharing economy.”

And then sends the case on its way to a jury trial, something he notes earlier is the only way to resolve an issue this complex. No precedent is set or will be set, at least not in Chen's court.

Until then, this Court is tasked with applying the traditional multifactor test of Borello and its progeny to the facts at hand. For the reasons stated above, apart from the preliminary finding that Uber drivers are presumptive employees, the Borello test does not yield an unambiguous result. The matter cannot on this record be decided as a matter of law. Uber’s motion for summary judgment is therefore denied.

This order disposes of Docket No. 211.

So, a case that has been running since August of 2013 may still be months away from a resolution. Uber's inability to get the suit tossed doesn't necessarily mean it's destined to become Yet Another Cab Company. It still has options, but it also has an uphill battle against plenty of incumbents… and the politicians who prefer what they know to unfamiliar market entrants.

from the the-fix-is-ALWAYS-in dept

The NSA official, Teresa H. Shea, is director of the Signals Intelligence Directorate, which means she oversees electronic eavesdropping for intelligence purposes. She's held that crucial position since 2010. SIGINT, as it is called, is the bread and butter of NSA espionage operations, and it includes intercepting and decoding phone calls, whether cellular or landline; radio communications; and internet traffic. Shea's directorate was involved in the controversial domestic surveillance program, much of which was revealed by Edward Snowden.

As for Shea’s husband, James, he is currently a vice president at DRS Signal Solutions, part of DRS Technologies, a major American defense contracting company owned by the Italian defense giant Finmeccanica. On his LinkedIn page, he boasts of his “core focus” in “SIGINT systems,” and cites his employer, DRS, for its work in “signals intelligence, cyber, and commercial test and measurement applications.”

Shea's husband is also a resident agent for Telic Networks (Roston calls the company's website "rudimentary," which is a compliment) -- another SIGINT-focused business located in the Sheas' hometown of Ellicott City, Maryland. James Shea declined to comment on this story, somewhat inadvertently.

Telic Networks has a telephone number listed on its website, and on Monday, James Shea answered the phone. "Jim Shea!" he said. But after he was told what the call was about, he said, "I'm in the middle of a meeting right now. I'll try giving you a call later." He didn't answer subsequent calls.

Teresa Shea and her agency have declined to comment beyond some emailed boilerplate about the agency's "robust financial disclosure program" and the NSA's (unproven) track record of heading off conflicts of interest before they become a problem.

Meanwhile, James Shea's DRS Signal Solutions is hiring for a SIGINT-related contract located in Fort Meade, Maryland. The NSA's "robust financial disclosure program" is internal only, so there's no way to tell how this was awarded or the total cost of the contract.

This may seem like a small issue, but there are larger ramifications. The NSA is charged with protecting a nation against threats, but any sort of favoritism that intrudes on bidding processes undermines the quality of the contractor appointed. Handing a contract out to an official's husband doesn't ensure the agency is getting the best company for the job. And if this is commonplace enough, certain bidders will just stop submitting estimates.

Even if what appears to be happening is actually happening, it's only part of a much larger incestuous relationship between the government and its contractors. Pure nepotism may be rare, but there are lots of similarly shady tactics being deployed that never trigger ethics probes or recusals.

First off, there's the vested interest in keeping the whole scheme -- national security -- running. This depends on legislators, administration representatives and official spokespeople constantly maintaining a climate of fear. Government agencies -- the NSA included -- put a lot of effort into staying viable year after year with little discernible dropoff in budget. Being truly essential flies under the government radar. Appearing to be completely essential seems to be more important.

The nation's capital is surrounded by government contractors, most of them setting up shop in Maryland and Virginia. It makes sense to move closer to the money and those who control it. From there, money flows to contractors and some of the money flows back -- financial contributions to legislators -- offered in hope of receiving advantageous legislation or budget increases for the agencies they work with. Not only does the money flow back and forth, but so does the personnel. Legislators exit to become board members, lobbyists or figureheads of heavily government-invested companies... and vice versa.

Nothing illegal. Nothing immoral. Nothing but the same gamesmanship and cliqueishness that make the government a closed circuit where money races circles around itself ensuring the longevity of those who manage to make their way inside.

The Sheas' potential ethics conflict is only a marriage certificate away from complete legitimacy. Government agencies will run open bidding and still hand off the project to an inside favorite. Or they'll find loopholes to avoid opening bids at all. There's no way to tell how common this is in the NSA or other agencies covered by the classified "Black Budget," but the cloak of secrecy does a whole lot more than just protect means and methods. It also prevents the American public from uncovering conflicts of interest or questionable bidding processes.

Scott Amey, the general counsel of the nonprofit Project on Government Oversight, objected to such blanket secrecy: “We don’t know how many contracts DRS has, whether they have contracts, what they are for. We’re kind of in the dark, and that’s not how we want our government to operate.”

But yet it does, and it appears to be unlikely to change at any point in the near future. Everyone on the "inside" would like to keep it that way. It keeps companies from having to explain their domestic surveillance offerings and it keeps the ODNI from having to explain why the current secret budget just isn't enough to keep America safe.

from the money-money-money dept

More than four years ago, we wrote about how all the buzz that you were hearing about "cyberwar" was little more than an attempt to drum up FUD to get the government to throw billions of dollars at private contractors. We noted that Booz Allen Hamilton (yes, the last employer of one Ed Snowden) had hired former NSA director and also Director of National Intelligence Mike McConnell as its Vice Chairman. He was the leading voice out there screaming about the threat of "cyberwar," getting on TV and having lots of opinion pieces in big name publications -- all of which mentioned his former government jobs, but almost none of which mentioned that his current employer, Booz Allen Hamilton, stood to make billions selling "solutions" to the government. And, indeed, Booz Allen has been raking in the cash on "cybersecurity."

This is worth keeping in mind as you read this fascinating interview with NSA whistleblower, Bill Binney, in which he lays this out plain and simple. The real reason for all this NSA surveillance is about money and power. "Stop terrorism" is secondary. After pointing out that all of this data collection has been basically useless in stopping terrorism (as confirmed by multiple independent accounts of the NSA's activities), the interviewer asks Binney why the NSA keeps doing it:

So why do they keep doing it?

Money. It takes a lot of money, you have to build up Bluffdale [the location of the NSA's data storage center, in Utah] to store all the data. If you collect all the data, you've got to store it, you have to hire more people to analyze it, you have to hire more contractors, managers to manage the flow. You have to start a big data initiative. It's an empire. Look at what they've built! Have you ever looked around all the buildings they've built up because of 9/11?

So that's what it's all about, expanding the budget for the intelligence community?

If you have a problem, you need money to solve it. But if you solve that problem, you no longer have the justification to get money. That's the way they view it - keep the problem going, so the money keeps flowing. Once you build up this big empire, you have to sustain it. ... Look at the influence and power the intelligence community has over the government. They [the government] are giving them everything they want, they're trying to cover up all their tracks and their crimes. Look at the influence and power they're gaining.

As Clay Shirky famously noted years ago, "Institutions will try to preserve the problem to which they are the solution." That appears to absolutely be the case here. It's why there's so much FUD. The NSA and the rest of the intelligence community have built up the threat to be this huge issue that requires huge dollars as well. And once they have the huge dollars and the giant staff, they have to keep that up. So they have to create a continuing problem for which they are the solution -- and since it's all (mostly) done in secret, you get this nefarious circle (as opposed to virtuous), in which more FUD is spread, more money flows in and everyone has to justify themselves to keep it all going.

Whistleblowers like Binney and Snowden actually disrupt that circle and pose a threat to the money flows.

from the hidden-costs-of-hidden-backdoors dept

As early as June last year, Techdirt noted that beyond the political fallout of NSA spying, there is a considerable risk that there will be serious economic consequences too. That's because other countries are now aware that one way the NSA has been obtaining sensitive information is through US computer products that have secret backdoors added in some way. In that post, we mentioned that Sweden had banned the country's public bodies from using Google Apps; it looks like Germany is going even further, as reported here in the international edition of the German newspaper Süddeutsche Zeitung:

Germany's black-red "grand coalition" government has now tightened the rules for awarding sensitive public IT contracts. In cases of doubt, suspicious companies will now be excluded from such contracts. And companies now have to sign documents to the effect that no contracts or laws oblige them -- nor can they be coerced -- to pass on confidential data to foreign secret services or security authorities.

The new rule would seem to be aimed primarily at American companies. These companies, as numerous Snowden documents reveal, regularly pass on information to the U.S. spy agencies. At the NSA, a separate Special Sources Operations department deals with cooperation with "strategic partners," as agents call such companies. The companies say they are merely following the laws of the respective country, and so far this explanation has been accepted.

But since April, any company that cannot guarantee that foreign services or authorities will not obtain any of their data is being excluded from federal contracts in Germany. A spokesperson for the Ministry of the Interior said that the aim of the new rule is to prevent "the flow of data worth protecting to foreign security authorities."

It's not yet clear how that new policy will work in practice. The article goes on to point out that one particular company, Computer Sciences Corporation (CSC), known to work for the US secret services, has been receiving plenty of lucrative German government contracts, including testing the German Federal Criminal Police Office's "state Trojan", which we wrote about in 2012, and working with the German Ministry of Justice and Ministry of the Interior. Even if the effects of the new policy are hard to see so far, it's indicative of how the German government is starting to think about and react to the spying revelations. And as further details of NSA subversion of US computer equipment emerge, other governments around the world may well start to do the same.

MuckRock has been filing dozens of FOIA requests in hopes of freeing up info on the many contractors employed by the NSA. Unsurprisingly, this has met with little success. While it did manage to secure 16 pages on French security firm Vupen, its other requests have been met with claims that no responsive documents have been found. This is hard to believe considering some of the requests are about known NSA contractors.

A search for overly broad keywords such as "CNO" and "computer network attack" would be tantamount to conducting a manual search through thousands of folders and then reading each document in order to determine whether the document pertains to a contract.

So, the agency that claims to be able to sift through millions of pieces of communications and data somehow claims it can't wrangle its own data. Of course, the NSA can't even search its own internal email, so asking it to run a keyword search for contract documents is probably out of the question. But this assertion by the NSA is a bit puzzling, as it almost implies a lot of what's being searched for isn't even digitized, as MuckRock points out.

In other words, the NSA is claiming that, for external contractors, large portions of its $10.8 billion budget are tracked primarily through paper indices not searchable even by relatively broad topic.

In addition, the agency's response appears to be saying that they don't even have a designated place to store paper copies of contracts, but place them in folders with other documents.

So, how does the agency track its interactions with its "vendors?" Does it even matter? The agency's own budget is secret (though not so much anymore), so a lack of solid accounting hardly matters. But it's still rather disturbing to see such a deliberately cavalier attitude towards accountability.

How do they keep track of their activities if they don't have an electronic contracts database? How do they, as a complex organization, determine budgetary needs if they cannot easily track their own spending? How do they measure the performance of vendor contracts, if as they claim, the contracts are shuffled to some paper file that may not see the light of day unless someone requests it through a FOIA request?

As MuckRock points out, this obfuscation is likely deliberate. The NSA is a data black hole. Lots of info flows in but it rarely, if ever, leaves. Any questions those charged with approving funding might have can be waved away by citing magic words like "national security," and that's even before its flacks in the halls of Congress start erecting roadblocks.

Almost certainly the NSA has very effective ways of searching its own internal files. After all, its defenders often boast about the number of geniuses it employs. It just has no compelling reason to do so. Even being compelled by courts to kick loose documents has its limits. As we saw just recently, a court order to declassify the government's secret opinion on the Section 215 collections was flat out refused by the DOJ. If the FISA court can't get the government to comply, then average citizens have no chance whatsoever.

MuckRock is continuing to assault the NSA's FOIA defenses. It's hoped that with enough requests, info will be pried loose that will indicate what sorts of keywords generate responsive documents -- and which ones result in ridiculous "this is impossible" statements from the agency.

from the nice-try dept

With all the problems associated with the Healthcare.gov rollout, a bunch of fingers (including ours) pointed at the usual list of government contracting cronies who built the thing. The deal was done under an existing contract (so no open bidding) and involved the same "usual suspects" who have been connected to a number of other large government computer systems debacles. Not included anywhere in the list were companies with experience building large-scale web services -- which you'd think would be helpful here. However, in testimony before Congress, the contractors are insisting that it's not their fault. CGI Federal was the main contractor behind the site, and Cheryl Campbell, a senior VP from the company, is in charge of trying to point fingers elsewhere, mainly at the Centers for Medicare and Medicaid Services (CMS), which CGI Federal says was in charge of the actual building of the site.

CMS serves the important role of systems integrator or "quarterback" on this project and is the ultimate responsible party for the end-to-end performance of the overall Federal Exchange.

Basically: it's the government's fault. We just build the damn thing. If they didn't tell us to build the right thing, or test it properly, well, it's their fault. Also, someone else we won't name is really at fault:

Another contractor was awarded the contract for the Data Services Hub portion of the Federal Exchange.

Oh, and also another unnamed contractor:

The first set of issues for users dealt with the enterprise identity management (or EIDM) function provided by another contractor, which allows users to create secure accounts.

Of course, it's not too difficult to figure out who the "other" contractor is. Because it's on the panel too. QSSI built the Data Services Hub and the "EIDM" functions mentioned, and QSSI is owned by Optum, whose executive vice president Andy Slavitt is testifying as well. And, you know, it's not his fault. First, he insists that the Data Service Hub worked splendidly throughout, no matter what anyone else might say. EIDM, of course, is having some trouble, but that? Why, other vendors are to blame there too:

It is relevant to note that the EIDM tool is only one piece of the federal marketplace’s registration and access management system, which involves multiple vendors and pieces of technology. While the EIDM plays an important role in the registration system, tools developed by other vendors handle critical functions such as the user interface, the e-mail that is sent to the user to confirm registration, the link that the user clicks on to activate the account, and the web page the user lands on. All these tools must work together seamlessly to ensure smooth registration

In other words, if only those other vendors did their job right, the whole thing would work much better. Oh yes, also someone (nameless) decided to change the specs at some late date:

It appears that one of the reasons for the high concurrent volume at the registration system was a late decision requiring consumers to register for an account before they could browse for insurance products. This may have driven higher simultaneous usage of the registration system that wouldn't have occurred if consumers could "window shop" anonymously.

The final note, going back to CGI Federal, is to remind Congress that building websites is really hard.

Unfortunately, in systems this complex with so many concurrent users, it is not unusual to discover problems that need to be addressed once the software goes into a live production environment. This is true regardless of the level of formal end-to-end performance testing -- no amount of testing within reasonable time limits can adequately replicate a live environment of this nature.

That's true to some extent, but it doesn't excuse many, many of the overall problems with the system, which did not appear to be built with any recognition of how to build a high-traffic transactional website. While CGI Federal would like to point fingers at everyone else, it was its name on the contract, which it received through questionable means, and it should take at least some responsibility for it. Perhaps, if it was so "complex," it shouldn't have taken on the job.

the NSA planned to investigate at least 4,000 of its employees and contractors in 2013, thanks in part to new software that could detect "anomalous" behavior by the workforce.

He goes on to ask an extremely important question:

How do you run an organization where 4,000 of your employees are suspect? I fear that if the NSA tries to impose ever-more stringent controls, this will create even more disgruntled workers and a larger pool of anomalies. A new "Red Scare" may well follow the Snowden revelations, but making every employee a suspect is likely to backfire.

Even the most anodyne of organizations that can't fully trust 4,000 of its employees is in big trouble; if it's one that handles some of the most sensitive information in the world, with the potential to save or cost many lives, that lack of trust is a recipe for disaster on a massive scale. And as Ignatius notes, the more the NSA tries to clamp down on people, the more likely it is to create further Edward Snowdens.

Ignatius also points out that the solution is not to close down, but to open up. By reducing drastically the number of things that are deemed secret in the first place, it would be possible to concentrate on protecting just those that really matter:

The beneficiaries in a no-secrets world will be relatively open societies, such as the United States, that are slowly developing a culture of accountability and disclosure for their intelligence agencies, however painful the process may be. The fewer secrets, the less to protect.

Although it's arguable to what extent the US has developed that "culture of accountability and disclosure" for the NSA yet, as President Obama inches towards admitting the scale of the problem here, the rest of the analysis in Ignatius' piece is well worth reading.